Your dealership’s privacy notice may seem like just another piece of paperwork, but it’s a vital part of your compliance plan. The federal and state consumer protection regulations that require privacy notices address a wide range of your dealership’s data handling and storage practices. Let’s go over the basics you need to know about them.
Why Are Privacy Notices Necessary?
Numerous laws and regulations require that dealers create and present a notice to inform consumers of their practices for collecting, using and sharing non-public personally identifiable information.
Privacy notices are generally based on the combined requirements of the Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLB). However, dealerships should also take into account federal laws including the FTC Privacy Rule, FTC Affiliate Marketing Rule and the Driver’s Privacy Protection Act (DPPA) when creating their privacy notices.
States are stepping up to provide consumers with additional privacy protections, so it’s important for your privacy policy to address the state regulations that apply where your dealership does business.
Remember, always consult with your legal counsel to ensure compliance with all privacy policy requirements for your dealership.
What Should Privacy Notices Include?
The recommended best practice is to create your FCRA-GLB Privacy Notice using the FTC’s Model Consumer Privacy Online Form Builder. Your dealership’s privacy policy should explain what personal information you collect, how you collect and use the personal information, and what third parties (if any) can access the information. A key point is that your privacy notice should accurately describe the actual way you collect and share information every day, which means you need to walk the talk!
Who Should Get A Privacy Notice?
You should give a privacy notice to every consumer who gives your dealership personal information, regardless of whether they end up purchasing a product or service.
When Should A Consumer Get Their Privacy Notice?
As the previous item implies, your dealership should be prepared to present privacy notices to potential customers before they become customers. That means consumers should receive a privacy notice before the dealer plans to collect, use or share their information. The timing can be tricky depending on how the consumer first begins interacting with your dealership, but be prepared to provide a privacy notice when someone first gives you their personal information, or as soon as possible after that. An integrated compliance software solution should provide you with a disclosure alert to ensure that you provide the privacy notice to the consumer at the proper time.
Where Have Privacy Notice Requirements Gotten Broader?
The California Consumer Privacy Act (CCPA) took effect on January 1, 2020. This law gives California consumers the right to know what personal information is collected about them, know how their personal information is being used, access a copy of their personal information, request that a business delete the personal information that was collected from them, and say no to having their personal information sold to third parties. There are also related online privacy requirements. The law applies to dealerships doing business in California that meet certain requirements, so consult with your legal counsel to determine your status and ensure that your privacy policy is compliant.
California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia have enacted new data privacy and data security laws, many of which become effective in 2024. Several other states are considering legislation to enact similar laws.
Want to learn more about complying with privacy and customer information sharing regulations? Check out the 2024 Dealertrack Compliance Guide.